b'Pension Benefit Guaranty Corporation\n      Office of Inspector General\n               Audit Report\n\n\n\n\n  Report on Internal Controls Related to the\nPension Benefit Guaranty Corporation\xe2\x80\x99s Fiscal\nYear 2010 and 2009 Financial Statements Audit\n\n\n\n\n             November 12, 2010\n                                   AUD-2011-3/FA-10-69-2\n\x0c\x0c                 Report on Internal Controls Related to the\n                  Pension Benefit Guaranty Corporation\xe2\x80\x99s\n              Fiscal Year 2010 and 2009 Financial Statements\n\n                   Audit Report AUD-2011-3 / FA-10-69-2\n\n\n                                   Contents\n\n\nSection I:     Independent Auditor\xe2\x80\x99s Report\n\nSection II:    Management Comments\n\n                                  Acronyms\n\nBPD            Bureau of Public Debt\nC&A            Certification and Accreditation\nCAP            Corrective Action Plan\nCFS            Consolidated Financial System\nCOOP           Continuity of Operations Program\nEDM            Enterprise Data Model\nELAN           Enterprise Local Area Network\nFIPS PUB       Federal Information Processing Standards Publication\nFMFIA          Federal Managers\xe2\x80\x99 Financial Integrity Act of 1982\nFY             Fiscal Year\nIAA            Interagency Agreement\nIAH            Information Assurance Handbook\nIPVFB          Integrated Present Value of Future Benefits\nISO            Information System Owner\nIT             Information Technology\nNIST SP        National Institute of Standards and Technology Special Publication\nOIG            Office of Inspector General\nOIT            Office of Information Technology\nOMB            Office of Management and Budget\nPAS            Premium Accounting System\nPBGC           Pension Benefit Guaranty Corporation\nPII            Personally Identifiable Information\nPPS            Premium and Practitioner System\nPRISM          Participant Records Information Systems 
Management\nRTM            Requirements Traceability Matrix\nTAS            Trust Accounting System\n\x0c   Report on Internal Controls Related to the\n    Pension Benefit Guaranty Corporation\xe2\x80\x99s\nFiscal Year 2010 and 2009 Financial Statements\n\n\n\n    Audit Report AUD-2011-3 / FA-10-69-2\n\n\n\n\n                 Section I\n\n     Independent Auditor\xe2\x80\x99s Report\n\x0c\xef\x81\xa1\xef\x80\xb1                                                    \xef\x80\xa0\n                                                      \xef\x80\xa0\n\n\n                                    Pension Benefit Guaranty Corporation\n\n\nTo the Board of Directors, Management,\nand Inspector General of the\nPension Benefit Guaranty Corporation\nWashington, DC\n\n\nWe have audited the financial statements of the Pension Benefit Guaranty Corporation (PBGC)\nas of and for the year ended September 30, 2010, and have examined management\xe2\x80\x99s assertion\nincluded in PBGC\xe2\x80\x99s Annual Report about the effectiveness of the internal control over financial\nreporting (including safeguarding assets) and PBGC\'s compliance with certain provisions of\nlaws, regulations, and other matters, and have issued our combined report thereon dated\nNovember 12, 2010 (see OIG report AUD-2011-2/FA-10-69-1).\n\nWe conducted our audit and examination in accordance with auditing standards generally\naccepted in the United States of America; Government Auditing Standards, issued by the\nComptroller General of the United States; attestation standards established by the American\nInstitute of Certified Public Accountants; and Office of Management and Budget (OMB) audit\nguidance.\n\nThe purpose of this report is to provide more detailed discussions of the specifics underlying the\nmaterial weakness reported in the internal control section of our combined report on PBGC\xe2\x80\x99s\nfiscal year (FY) 2010 financial statements. 
As reported in our combined report on PBGC\xe2\x80\x99s\nFY 2010 financial statements, we identified certain deficiencies in internal control that we\nconsider significant deficiencies, which combined constitute a material weakness.\n\nSummary\n\nPBGC protects the pensions of approximately 44 million workers and retirees in more than\n27,500 private defined benefit pension plans. Under Title IV of the Employee Retirement Income\nSecurity Act of 1974, PBGC insures, subject to statutory limits, pension benefits of participants\nin covered private defined benefit pension plans in the United States. To accomplish its mission\nand prepare its financial statements, PBGC relies extensively on information technology (IT).\nInternal controls over these operations are essential to ensure the confidentiality, integrity, and\navailability of critical data while reducing the risk of errors, fraud, and other illegal acts.\n\nOur review of IT controls covered general and selected business process application controls.\nGeneral controls are the structure, policies, and procedures that apply to an entity\xe2\x80\x99s overall\ncomputer systems. They include entity-wide security management, access controls,\nconfiguration management, segregation of duties and contingency planning controls. Business\nprocess application controls are those controls over the completeness, accuracy, validity,\nconfidentiality, and availability of transactions and data during application processing.\n\n\n11710 Beltsville Drive, Suite 300\nCalverton, MD 20705-3106\ntel: 301-931-2050\nfax: 301-931-1710\nwww.cliftoncpa.com\n                                                     1\n                                                                                    \xef\x81\xa8\xef\x80\xa0\n\x0cOur review also included the integration of financial management systems to ensure effective\nand efficient interrelationships. 
These interrelationships include common data elements,\ncommon transaction processing, consistent internal controls, and transaction entry.\n\nPBGC\xe2\x80\x99s systemic security control weaknesses and the lack of an integrated financial\nmanagement system continued to pose an increasing and substantial risk to PBGC\xe2\x80\x99s ability to\ncarry out its mission during FY 2010. PBGC\xe2\x80\x99s key decision makers are acutely aware of the\nchallenges facing the Corporation in addressing fundamental weaknesses in its IT infrastructure\nand environment. Management has therefore taken a multiyear approach to correct these\ndeficiencies at the root cause level. However, in past years, communication between PBGC\xe2\x80\x99s\nkey decision makers did not convey the urgent need for decisive strategic decisions to correct\nfundamental weaknesses in PBGC\xe2\x80\x99s IT infrastructure and environment. Strategic IT decisions\ndid not address these deficiencies, and significant weaknesses identified in prior years,\ncontinued to persist.\n\nPBGC\xe2\x80\x99s decentralized approach to system development and configuration management has\nexacerbated control weaknesses and encouraged inconsistency in implementing strong\ntechnical controls and best practices. The influx of 620 plans for over 800,000 participants from\n2002-2005, contributed to PBGC\xe2\x80\x99s disjointed IT development and implementation strategy. The\nmandate to meet PBGC\xe2\x80\x99s mission objectives by implementing technologies to receive the influx\nof plans superseded proper enterprise planning and IT security controls. The result was a series\nof stovepipe solutions built upon unplanned and poorly integrated heterogeneous technologies\nwith varying levels of obsolescence.\n\nThe Corporation has now embarked on a more coherent strategy and cost effective approach to\nresolving and correcting these fundamental IT weaknesses. 
PBGC has developed and is\nimplementing a multi-year corrective action plan (CAP) to address security issues at the root\ncause level. However, PBGC management realizes these weaknesses will continue to pose a\nthreat to its environment for several years while corrective actions are being implemented.\nPBGC will need to implement interim corrective actions to ensure fundamental security\nweaknesses do not worsen as the CAP is being implemented.\n\nPBGC has entered into an interagency agreement (IAA) with the Bureau of Public Debt (BPD)\nof the Department of the Treasury to assist PBGC in revising and strengthening its security\nmanagement program and certification and accreditation (C&A) process. The multi-year CAP\nincludes the implementation of a more effective C&A process, addressing fundamental security\nweaknesses and initiating an IT infrastructure modernization program. In FY 2010, PBGC\nprocured and implemented new hardware in its infrastructure, as it works towards modernization\nof its IT infrastructure. Additional future actions include completing PBGC\xe2\x80\x99s Enterprise\nArchitecture segment.\n\nOur current year audit work continued to find deficiencies in the areas of security management,\naccess controls, configuration management, and segregation of duties. Control deficiencies\nwere also found in policy administration, and the C&As of major applications and general\nsupport systems. An effective entity-wide security management program requires a coherent\nstrategy for the architecture of the IT infrastructure, and the deployment of systems. The\nimplementation of a coherent strategy provides the basis and foundation for the consistent\napplication of policy, controls, and best practices. PBGC first needs to develop and implement a\nframework to improve their security posture. 
This framework will require time for effective control\nprocesses to mature.\n\n\n\n                                                2\n\x0cBased on our findings, we are reporting that significant deficiencies in the following areas\nconstitute a material weakness for FY 2010:\n\n   1. Entity-wide security program planning and management\n   2. Access controls and configuration management\n   3. Integrated financial management systems\n\nDetailed findings and recommendations follow.\n\n1. Entity-wide Security Program Planning and Management\n\n   During FY 2010, PBGC made strategic decisions to develop and implement a multi-year\n   CAP to address fundamental weaknesses in its entity-wide security program planning and\n   management. PBGC entered into an IAA for the services of the BPD to assist the\n   Corporation in reassessing its security program and developing a framework for\n   implementing a more coherent strategy for correcting fundamental IT security weaknesses\n   at the root cause level. However, in past years, communication between PBGC\xe2\x80\x99s key\n   decision makers did not convey the urgent need for decisive strategic decisions to correct\n   fundamental weaknesses in PBGC\xe2\x80\x99s IT infrastructure and environment. Strategic IT\n   decisions did not address these deficiencies, and significant weaknesses continued to\n   persist. PBGC management realizes these weaknesses will continue to pose a threat to its\n   environment for several years while corrective actions are being implemented.\n\n   PBGC abandoned its C&A documentation and is working with BPD to revise and strengthen\n   its C&A process to ensure security weaknesses are addressed at the root cause level.\n   PBGC did not conduct any C&As in FY 2010. The Corporation has implemented a\n   multi-year plan to correct its C&As.\n\n   In prior years, PBGC\xe2\x80\x99s entity-wide security program lacked focus and a coordinated effort to\n   adequately resolve control deficiencies. 
These deficiencies, which continue to persist,\n   prevent PBGC from implementing effective security controls to protect its information from\n   unauthorized access, modification, and disclosure. The specific weaknesses we found that\n   contributed to the material weakness and our recommendations to correct them are as\n   follows:\n\n   \xef\x82\xb7   PBGC identified 65 common security controls for the 17 National Institute of Standards\n       and Technology (NIST) special publication (SP) 800-53, Recommended Security\n       Controls for Federal Information Systems, security control families. Of the 65 common\n       security controls tested by PBGC in FY 2008, only four controls were properly designed\n       and operating effectively. PBGC did not continue its implementation of common controls\n       in FY 2009 and FY 2010. Weaknesses in PBGC\xe2\x80\x99s infrastructure design and deployment\n       strategy for systems and applications adversely affected its ability to effectively\n       implement common security controls across its systems and applications. Without full\n       development and implementation, security controls are inadequate; responsibilities are\n       unclear, misunderstood, and improperly implemented; and controls are inconsistently\n       applied. Such conditions lead to insufficient protection of sensitive or critical resources or\n       disproportionately high expenditures for controls. Consequently, PBGC has not\n       completed and confirmed the design, implementation, and operating effectiveness of its\n       common security controls. 
Without testing control processes, management cannot have\n       confidence that the controls were implemented.\n\n\n\n                                                 3\n\x0c    Recommendations:\n\n    o   Effectively communicate to key decision makers the state of PBGC\xe2\x80\x99s IT infrastructure\n        and environment to facilitate the prioritization of resources to address fundamental\n        weaknesses. (OIG Control # FS-09-01)\n\n    o   Complete and confirm the design, implementation, and operating effectiveness of all\n        65 common security controls identified. (OIG Control # FS-08-01)\n\n    o   Develop a process to review and validate reported progress on the implementation of\n        the common security controls. Implement a strategy to test and document the\n        effectiveness of each new control implemented. (OIG Control # FS-09-02)\n\n\xef\x82\xb7   PBGC\xe2\x80\x99s process for the completion of C&A packages in accordance with NIST SP\n    800-37, Guide for the Security Certification and Accreditation of Federal Information\n    Systems, is ineffective. Fundamental weaknesses in PBGC\xe2\x80\x99s infrastructure architecture\n    and design do not support the C&A of its information systems. Furthermore, PBGC\xe2\x80\x99s\n    information systems employ obsolete and antiquated technologies that pose additional\n    risk to the availability of financially significant systems. PBGC abandoned its C&A\n    packages and is working with BPD to revise and strengthen its C&A process to ensure\n    security weaknesses are addressed at the root cause level. PBGC did not conduct\n    C&As in FY 2010. The Corporation has implemented a multi-year plan to correct its\n    C&As.\n\n    In FY 2009, PBGC asserted the completion of 13 C&A packages for its major\n    applications and general support systems. However, our review indentified significant\n    deficiencies in access controls and configuration management. 
PBGC\xe2\x80\x99s quality control\n    review of the C&A packages did not correct specific issues we identified in FY 2009. In\n    addition, PBGC\xe2\x80\x99s oversight of contractor performance during the C&A process was\n    inadequate. The C&A packages were deficient in their quality, accuracy, and\n    consistency.\n\n    Our review of the C&A packages noted the following quality control weaknesses, each of\n    which had been identified in our prior year audit:\n\n    -   Limited documentation of test results, a condition that prevented third-party\n        reviewers from re-performing, and thus validating, the tests.\n    -   Deficiencies not included in the Plan of Action and Milestones.\n    -   Documentation that did not support conclusions reached or test results.\n    -   Inconsistencies or apparent errors and/or omissions in work performed.\n    -   Information in the system boundaries section of the risk assessment conflicted with\n        the listing of external connections.\n    -   Minor applications identified in Security Control Worksheet, but not documented in\n        the Risk Assessment.\n\n    Without management oversight and accountability of contractor\xe2\x80\x99s performance,\n    management may accept work that does not meet Federal criteria. Such practices may\n    lead to fraud, waste, or abuse; and to insufficient protection of sensitive or critical\n    resources. In addition, projects may exceed approved budget if rework is required.\n    Without monitoring contractor performance and performing a quality review of\n    deliverables, management cannot have confidence in the work performed.\n\n\n                                           4\n\x0cPBGC did not provide an inventory of its major applications and general support systems\nin FY 2010. In FY 2009, management provided three conflicting inventory lists of major\napplications and general support systems. 
Some systems considered major on one\ninventory list, were considered minor on the others. We could not determine\nmanagement\xe2\x80\x99s assertion concerning the inventory of its major applications and general\nsupport systems. Because of the contradictory information provided, we could not\ndetermine which of these lists should be considered as management\xe2\x80\x99s assertion\nconcerning the inventory of its major applications and general support systems.\nTherefore, we could not determine which major applications and general support\nsystems require C&A.\n\nThe risk exists that systems could be certified, accredited, and receive an authorization\nto operate without the assurance that complete and accurate results are obtained in\nexecuting the C&A process. In addition, issues identified or missed because of\ninaccurate or incomplete work performed will impact the corrective action required along\nwith the resource commitment needed to complete the intended action. PBGC did not\nobtain a waiver from the OMB, allowing conditional authorization of its systems, as cited\nin OIG report Authorization to Operate PBGC Information Systems (AUD-2010-8 / IT-09-\n70), issued August 19, 2010.\n\nPBGC does not have reasonable assurance regarding the confidentiality, integrity, and\navailability of its information systems.\n\nRecommendations:\n\no   Develop and implement a well-designed security management program that will\n    provide security to the information and information systems that support the\n    operations and assets of the Corporation, including those managed by contractors or\n    other Federal agencies. (OIG Control # FS-09-03)\n\no   Complete the development and implementation of the redesign of PBGC\xe2\x80\x99s IT\n    infrastructure, and the procurement and implementation of technologies to support a\n    more coherent approach to providing information services and information system\n    management controls. 
(OIG Control # FS-09-04)\n\no   Implement an effective review process to validate the completion of the C&A\n    packages for all major applications and general support systems. The review should\n    not be performed by an individual associated with the performance of the C&A, or by\n    someone who could influence the results. This review should be completed for all\n    components of the work performed to ensure substantial documentation is available\n    that supports and validates the results obtained. (OIG Control # FS-08-02)\n\no   Ensure that adequate documentation is maintained which supports, substantiates,\n    and validates all results and conclusions reached in the C&A process.\n    (OIG Control # FS-09-05)\n\no   Establish and implement comprehensive procedures and document the roles and\n    responsibilities that ensure oversight and accountability in the certification and review\n    process. Retain evidence of oversight reviews and take action to address erroneous\n    or unsupported reports of progress. (OIG Control # FS-09-06)\n\n\n\n                                          5\n\x0c    o   Maintain an accurate and authoritative inventory list of major applications and\n        general support systems. Ensure the list is disseminated to responsible staff and\n        used consistently throughout PBGC Office of IT (OIT) operations. (OIG Control #\n        FS-09-07)\n\n    o   Implement an independent and effective review process to validate the completion of\n        the C&A packages for all applications and general support systems hosted on behalf\n        of PBGC by third party processors. The effective review should include examining\n        host and general controls risk assessments. (OIG Control # FS-08-03)\n\n    o   Implement robust and rigorous review procedures to verify that future contracts for\n        the C&A of PBGC\xe2\x80\x99s systems clearly outline expectations and deliverables in the\n        statement of work. 
(OIG Control # FS-09-08)\n\n    o   Implement a robust and rigorous quality review process to verify contractor C&A\n        deliverables meet the requirements specified in the statement of work. (OIG Control\n        # FS-09-09)\n\n    o   Establish controls to ensure that contract staff tasked with the C&A of PBGC\n        systems have the appropriate knowledge and background to accurately and\n        comprehensively complete the C&A process. (OIG Control # FS-09-10)\n\n    o   Implement a robust and rigorous process to verify compliance with PBGC\xe2\x80\x99s policy on\n        contractor management throughout the C&A lifecycle. (OIG Control # FS-09-11)\n\n\xef\x82\xb7   Information security policies and procedures were not fully disseminated and\n    implemented. PBGC is not able to effectively enforce compliance for Security\n    Awareness training. PBGC currently has a cumbersome and error-prone manual\n    process to account for personnel who had completed security awareness training. The\n    process is ineffective and limits PBGC\xe2\x80\x99s ability to ensure that all required personnel have\n    completed security awareness training. In FY 2009, PBGC developed role-based\n    training programs to disseminate its Information Assurance Handbook (IAH) policies and\n    procedures to information system owners (ISOs), system administrators, and project\n    managers. During our FY 2009 review, we noted that PBGC could not verify and validate\n    whether all required personnel had completed the Information Security Awareness\n    Training. Some project managers, ISOs and system administrators did not attend the\n    risk management role-based training. The Contingency Plan Specialist was not aware of\n    IAH guidance on required annual contingency training. 
Fifteen PBGC officials with\n    Continuity of Operations Program (COOP) responsibilities did not attend required annual\n    contingency training.\n\n    PBGC changed its approach for its CAP process by placing more emphasis on\n    correcting the root cause. This approach has resulted in completion dates being revised,\n    and a multi-year approach to correct weaknesses noted above. Management indicated,\n    in their CAP, that this finding would be remediated by September 30, 2011.\n\n    In the interim, lack of security awareness can lead to increased risk of security breaches\n    and exposure to fraud. Controls may not be placed in operation as mandated by PBGC\n    policies.\n\n\n\n\n                                             6\n\x0c    Recommendation:\n\n    o   Develop and implement a process to enforce the dissemination and awareness of\n        PBGC\xe2\x80\x99s security policies and procedures through adequate training. (OIG Control\n        # FS-07-04)\n\n\xef\x82\xb7   OIT and system owners (i.e. business owners) have not established and documented\n    service level agreements that include metrics on OIT services required to meet business\n    goals. PBGC is in the process of completing the development and distribution of\n    measurable services provided to the business owners by the OIT.\n\n    Recommendation:\n\n    o   Establish, document, and publish measurable services that OIT provides to the\n        Corporation, that are acceptable to all ISOs. (OIG Control # FS-07-06)\n\n\xef\x82\xb7   PBGC\xe2\x80\x99s benefit payments service provider (service provider) implemented a security\n    operations center (SOC) outside of the United States (US), which will have some\n    responsibility for monitoring security related events associated with the Pension Lump\n    Sum (PLUS) application and components of its system boundary. 
The service provider\n    did not provide PBGC with adequate advance notice to assess the security impact to the\n    PLUS application on the change in environment before going operational. Furthermore,\n    PBGC was not provided adequate time to assess risks to its systems and implement\n    mitigating controls to ensure compliance with the PBGC\xe2\x80\x99s policies and procedures. As a\n    result, PBGC has not assessed the security impact of the change in environment.\n\n    Recommendation:\n\n    o   Develop and implement an immediate plan of action to address the potential security\n        risk posed by locating the Security Operations Center outside of the US.\n        (OIG Control # FS-10-01)\n\n    o   Review PBGC contracts to ensure contractors are required to comply with PBGC\n        information security standards and FISMA. (OIG Control #FS-10-02)\n\n\xef\x82\xb7   PBGC has not executed an interconnection security agreement (ISA) or memorandum of\n    understanding (MOU) between external organizations whose systems interconnect with\n    PBGC\xe2\x80\x99s systems.\n\n    PBGC is in the process of planning and documenting security agreements for\n    interconnection with external organizations\xe2\x80\x99 systems. In the absence of an ISA and\n    MOU, either party (PBGC or external system owner) may be unfamiliar with the technical\n    requirements of the interconnection and details that may be required to provide an\n    overall security for systems that are interconnected.\n\n    Recommendation:\n\n    o   Develop and implement an ISA and MOU with external organizations whose systems\n        connect to PBGC\xe2\x80\x99s systems. (OIG Control # FS-10-03)\n\n\n\n\n                                           7\n\x0c2. 
Access Controls and Configuration Management\n\n   Although access controls and configuration management controls are an integral part of an\n   effective information security management program, access controls remain a systemic\n   problem throughout PBGC. PBGC\xe2\x80\x99s decentralized approach to system development, system\n   deployments, and configuration management created an environment that lacks a cohesive\n   structure in which to implement controls and best practices. Weaknesses in the IT\n   environment contributed significantly to deficiencies in system configuration, segregation of\n   duties, role-based access controls, and monitoring. Furthermore, PBGC\xe2\x80\x99s information\n   systems are overlapping and duplicative, employing obsolete and antiquated technologies\n   that are costly to maintain. The state of PBGC\xe2\x80\x99s IT environment led to increased IT staffing\n   needs, manual workarounds, reconciliations, extensive manipulation, and excessive manual\n   processing that have been ineffective in providing adequate compensating controls to\n   mitigate system control weaknesses. For example, the Financial Reporting and Account\n   Analysis Group manually records present value of future benefits liabilities for single\n   employer and multiemployer programs in the Consolidated Financial System (CFS), and the\n   Financial Operations Department manually records Premium Income, Premium\n   Receivables, and Unearned Premiums in CFS.\n\n   Access controls should be in place to consistently limit, detect inappropriate access to\n   computer resources (data, equipment, and facilities), or monitor access to computer\n   programs, data, equipment, and facilities. These controls protect against unauthorized\n   modification, disclosure, loss, or impairment. 
Such controls include both logical and physical\n   security controls to ensure that Federal employees and contractors will be given only the\n   access privileges necessary to perform business functions. Federal Information Processing\n   Standards Publication (FIPS PUB) 200, Minimum Security Requirements for Federal\n   Information and Information Systems, specifies minimum access controls for Federal\n   systems. FIPS PUB 200 requires PBGC\xe2\x80\x99s ISOs to limit information system access to\n   authorized users.\n\n   Industry best practices, NIST SP 800-64, Security Considerations in the System\n   Development Life Cycle, and other Federal guidance recognize the importance of\n   configuration management when developing and maintaining a system or network. Through\n   configuration management, the composition of a system is formally defined and tracked to\n   ensure that an unauthorized change is not introduced. Changes to an information system\n   can have a significant impact on the security of the system. Documenting information\n   system changes and assessing the potential impact on the security of the system, on an\n   ongoing basis, is an essential aspect of maintaining the security posture. An effective entity-\n   wide configuration management and control policy and associated procedures are essential\n   to ensuring adequate consideration of the potential security impact of specific changes to an\n   information system. 
Configuration management and control procedures are critical to\n   establishing an initial baseline of hardware, software, and firmware components for the\n   entity and subsequently controlling and maintaining an accurate inventory of any changes to\n   the system.\n\n   Inappropriate access and configuration management controls do not provide PBGC with\n   sufficient assurance that financial information and financial assets are adequately\n   safeguarded from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or\n   destruction.\n\n\n\n\n                                               8\n\x0cPBGC management realizes these weaknesses will continue to pose a threat to its\nenvironment for several years while corrective actions are being implemented. PBGC\ndeveloped a CAP that is a three to five year holistic approach starting in FY 2010. The CAP\nhas been broken into several process families to address the underlying root causes of the\nfindings. The specific weaknesses we continued to find that contributed to the material\nweakness and our recommendations to correct them are as follows:\n\n\xef\x82\xb7   PBGC\xe2\x80\x99s configuration management controls are labor intensive and ineffective.\n    Weaknesses in the design of PBGC\xe2\x80\x99s infrastructure and deployment strategy for\n    systems and applications created an environment where strong technical controls and\n    best practices cannot be effectively implemented. Configuration management controls\n    are therefore not consistently implemented across PBGC\xe2\x80\x99s general support systems.\n    PBGC\xe2\x80\x99s three IT environments (development, test, and production) do not share\n    common server configurations; therefore, management cannot rely on results obtained\n    in the development or test environments prior to deployment in production. 
Overall, the\n    PBGC environment suffers from inadequate configuration, roles, privileges, logging,\n    monitoring, file permissions, and operating system access.\n\n    PBGC\xe2\x80\x99s infrastructure does not adequately segregate the production, development and\n    testing environments. The current environment does not provide adequate controls in\n    which to implement an effective application development and change control program.\n\n    Significant weaknesses noted in configuration management continued in FY 2010,\n    include the following:\n    \xef\x80\xad Sensitive program scripts and utilities, open directories, and unsafe services\n        accounts were not restricted.\n    \xef\x80\xad Unnecessary network services and duplicate groups with privileged system access\n        were not removed.\n    \xef\x80\xad Baseline security reports were not being created and reviewed.\n    \xef\x80\xad Inappropriate configuration/ownership of critical files, directories, and permissions.\n    \xef\x80\xad The root account could be logged into from multiple virtual consoles.\n    \xef\x80\xad The method in which database replication was taking place from headquarters to the\n        COOP installation is lacking in functionality and completeness, and would require a\n        significant amount of subject matter expert manual intervention to failback, in the\n        event of an actual system failure.\n    \xef\x80\xad Developers had access to sensitive information in production by having direct\n        development access to production systems via a database link.\n    \xef\x80\xad Development and test databases have database links directly connected to the\n        production database. This configuration of database links produces an inefficient,\n        difficult to manage, non-scalable Oracle database solution.\n    \xef\x80\xad The IT System Life Cycle Methodology is not consistently implemented across all\n        projects within PBGC. 
We reviewed the Product Quality Assurance audit summary of\n        the HP Service Manager 7 software implementation and noted that various critical\n        components were lacking, such as:\n        o Weaknesses in the approval, configuration management and change\n             control processes.\n        o Failure to obtain approval signatures on key documents and test artifacts.\n        o Incomplete Requirements Traceability Matrix (RTM).\n        o Failure to update the RTM, resulting in lack of traceability between the\n             requirements and the test cases.\n        o Lack of evidence that key test activities were conducted in the test environment\n            as planned.\n    -  Backout plans for reversing system changes in case of an unexpected situation are\n        not consistently documented.\n\n    Controls are not in place to ensure adequate consideration of the potential security\n    impacts of specific changes to an information system or its surrounding\n    environment. PBGC is exposed to increased risk of data modification or deletion.\n    Unauthorized changes could occur undetected. Applications and critical business\n    processes may not be restored in a timely manner in the event of a true disaster.\n\n    Recommendations:\n\n    o   Develop and implement procedures and processes for the consistent implementation\n        of common configuration management controls to minimize security weaknesses in\n        general support systems. 
(OIG Control # FS-07-07)\n\n    o   Develop and implement a coherent strategy for correcting IT infrastructure\n        deficiencies and a framework for implementing common security controls, and\n        mitigating the systemic issues related to access control by strengthening system\n        configurations and user account management for all of PBGC\xe2\x80\x99s information systems.\n        (OIG Control # FS-09-12)\n\n    o   Establish baseline configuration standards for all of PBGC\xe2\x80\x99s systems. (OIG Control\n        # FS-09-13)\n\n    o   Review configuration settings and document any discrepancies from the PBGC\n        configuration baseline. Develop and implement corrective actions for systems that do\n        not meet PBGC\xe2\x80\x99s configuration standards. (OIG Control # FS-09-14)\n\n    o   Ensure test, development and production databases are appropriately segregated to\n        protect sensitive information and fully utilized to increase system performance.\n        (OIG Control # FS-09-15)\n\n    o   Establish interim procedures to implement available compensating controls (such as\n        establishing a test team to verify developer changes in production) until a\n        comprehensive solution to adequately segregate test, development and production\n        databases can be implemented. (OIG Control # FS-09-16)\n\n\xef\x82\xb7   PBGC\xe2\x80\x99s policies and practices have not effectively restricted the addition of unnecessary\n    and generic accounts to systems in production. Consequently, the number of\n    unnecessary and generic accounts grew over the years. 
PBGC management has not\n    determined if the removal of all legacy generic accounts would disrupt production\n    activities.\n\n    Failure to identify and remove unnecessary accounts from the system could put\n    PBGC's systems at an increased risk of unauthorized\n    access, modification, or deletion of sensitive system and/or participant information.\n\n    Recommendation:\n\n    o   Continue to remove unnecessary user and/or generic accounts. (OIG Control # FS-07-08)\n\n•   Controls are not consistently implemented to appropriately segregate duties and grant\n    rights and privileges commensurate with job functions and responsibilities. PBGC\n    does not have a coherent strategy for enforcing segregation of duties through strong\n    technical controls in its applications and general support systems. PBGC's decentralized\n    approach to system development and configuration management has exacerbated\n    inconsistency and control weaknesses in implementing strong technical controls to\n    enforce segregation of incompatible duties.\n\n    Incompatible duties and improper password management increase the potential risk of\n    fraud, errors and omissions.\n\n    Recommendations:\n\n    o   Consistently implement controls to appropriately segregate duties and grant rights\n        and privileges commensurate with job functions and responsibilities.\n        (OIG Control # FS-07-09)\n\n    o   Assess the risk associated with the lack of segregation of duties, password\n        management, and overall inadequate system configuration. Discuss the risk with system\n        owners and implement compensating controls wherever possible. If compensating\n        controls cannot be implemented, the system owner should sign off indicating risk\n        acceptance. 
(OIG Control # FS-09-17)\n\n•   Developers have access to the production environment, which exposes PBGC to the risk\n    of unauthorized modification of the application, the circumvention of critical controls, and\n    unnecessary access to sensitive data. Weaknesses in the design of PBGC's\n    infrastructure and deployment strategy for legacy systems and applications created an\n    environment where developers have unrestricted access to production. PBGC has not\n    developed and implemented adequate compensating controls to restrict developers'\n    access to production. PBGC has not fully resolved infrastructure design issues, nor has\n    it developed and implemented a coherent program to manage and maintain legacy\n    applications.\n\n    Failure to appropriately restrict privileged access to the production environment could\n    result in unauthorized access to, modification of, or deletion of sensitive system and/or\n    participant information and the release of harmful code into the production environment.\n\n    Recommendations:\n\n    o   Appropriately restrict developers' access to the production environment to\n        temporary emergency access only. (OIG Control # FS-07-10)\n\n    o   Assess developers' access to production on all PBGC systems and determine if\n        access is required based on the security principles of need to know and least\n        privilege. If developers require access to a specific application, the reason should be\n        documented and management should sign off indicating acceptance of the risk(s). In\n        all other instances developer access to production should be immediately removed.\n        (OIG Control # FS-09-18)\n\n•   Controls are not consistently applied to ensure that authentication parameters for\n    general support systems (e.g. 
Novell, Windows, SUN Solaris, Oracle, etc.) and\n    applications comply with the IAH. PBGC\xe2\x80\x99s decentralized approach to system\n    development and configuration management has made it particularly difficult to\n    implement consistent technical controls across PBGC\xe2\x80\x99s many systems, platforms, and\n    applications.\n\n    Failure to follow secure build standards and reassign or remove unowned user files\n    provides internal and external attackers additional paths into PBGC\xe2\x80\x99s systems and could\n    result in an increased risk of unauthorized access, modification, or deletion of sensitive\n    system and participant information. These control weaknesses increase the risk for\n    fraud, waste and abuse.\n\n    Recommendations:\n\n    o   Consistently apply controls to ensure that authentication parameters for PBGC\xe2\x80\x99s\n        general support systems (e.g. Novell, Windows, Sun Solaris, Oracle, etc.) and\n        applications comply with the IAH. (OIG Control # FS-07-11)\n\n    o   Implement a manual review process whereby OIT periodically reviews systems for\n        compliance with baseline settings. (OIG Control # FS-09-19)\n\n\xef\x82\xb7   PBGC is still in the process of identifying dependencies between databases,\n    applications, and operating systems in order to fully implement controls to lock out and\n    remove inactive and dormant accounts. However, there are still some PBGC systems\n    that have not implemented these controls. 
PBGC's configuration management\n    weaknesses have contributed significantly to its inability to effectively implement controls\n    to ensure the consistent removal and locking out of generic or dormant accounts.\n\n    Without full development and implementation of security controls, the lack of an effective\n    policy addressing lockout, inactive accounts, and dormant accounts provides another\n    control weakness that could be exploited and compromise the integrity, confidentiality\n    and availability of PBGC's systems and applications.\n\n    Recommendation:\n\n    o   For the remaining systems, apply controls to lock out and remove inactive and\n        dormant accounts after a specified period in accordance with the IAH. (OIG Control\n        # FS-07-12)\n\n•   The OIT recertification process is incomplete and only addresses generic and service\n    accounts; it does not include all user and system accounts. In addition, the\n    Recertification of User Access Process, version 1.2, does not explicitly state that all\n    accounts (e.g. user, system, and service) across all platforms and applications will be\n    recertified annually. PBGC's infrastructure design and configuration management\n    weaknesses have contributed significantly to its inability to effectively implement controls\n    to recertify all user and system accounts.\n\n    Unauthorized users could gain access to PBGC's data and personally identifiable\n    information (PII). Without periodic recertification of accounts (user, generic, service and\n    system) management does not have adequate assurance that only current authorized\n    users have access to PBGC resources.\n\n    Recommendation:\n\n    o   Complete the implementation of the recertification process for all user and system\n        accounts. 
Continue to perform annual recertification and include all PBGC\xe2\x80\x99s\n        accounts (e.g. user, generic, service, and systems accounts) for general support\n        systems and major applications. (OIG Control # FS-07-13)\n\n\xef\x82\xb7   Vulnerabilities found in key databases and applications include weaknesses in\n    configuration, roles, privileges, auditing, file permissions, and operating system access.\n    These PBGC system vulnerabilities are caused by an ineffective deployment strategy in\n    the development, test, and production environments. Ineffective system deployments\n    have resulted in an environment that is in disarray.\n\n    Security control weaknesses and vulnerabilities in key databases were not mitigated,\n    and adversely impacted the security and integrity of PBGC\xe2\x80\x99s development, test, and\n    production environments. PBGC is exposed to increased risk of data modification or\n    deletion. Unauthorized changes could occur, undetected.\n\n    Recommendations:\n\n    o   Implement controls to remedy vulnerabilities noted in key databases and applications\n        such as weaknesses in configuration, roles, privileges, auditing, file permissions, and\n        operating system access. (OIG Control # FS-07-14)\n\n    o   Implement controls to remedy weaknesses in the deployment of servers,\n        applications, and databases in the development, test, and production environments.\n        (OIG Control # FS-09-20)\n\n\xef\x82\xb7   Access request authorizations were not appropriately documented. 
PBGC has not fully\n    implemented controls to ensure Enterprise Local Area Network forms are properly\n    documented and maintained.\n\n    Failure to ensure proper authorization may expose PBGC's systems to inadequate\n    segregation of incompatible duties and to unauthorized users having access to PBGC data\n    and PII.\n\n    Recommendation:\n\n    o   Ensure that adequate documentation of access authorization is maintained by\n        implementing proper monitoring and enforcement measures in compliance with\n        approved policies and procedures. (OIG Control # FS-07-15)\n\n•   PBGC lacks an effective process to track contractors throughout their employment at\n    PBGC, including appropriate notifications of start dates and separation. Management\n    reported that policies and procedures, including PBGC directive PM 05-1, PBGC\n    Entrance on Duty and Separation Procedures for Federal and Contract Employees, have\n    not been updated to provide effective enforcement of controls designed to track entrance\n    and separation of all Federal and contract employees.\n\n    Without full development and implementation of these controls, PBGC cannot adequately\n    prevent contractors from having unauthorized access to its systems, applications,\n    and facilities.\n\n    Recommendation:\n\n    o   Update and enforce directive PM 05-1, PBGC Entrance on Duty and Separation\n        Procedures for Federal and Contract Employees, to ensure contract personnel can\n        be tracked effectively. Also, ensure a formal Entrance on Duty and Separation\n        Clearance process is followed. 
(OIG Control # FS-07-16)\n\n•   Periodic logging and monitoring of security-related events for PBGC's applications were\n    inadequate for the CFS, PAS, Trust Accounting System (TAS), Participant Records\n    Information Systems Management (PRISM), and Integrated Present Value of Future\n    Benefits (IPVFB) systems. PBGC's IT infrastructure consists of multiple legacy systems\n    and applications (e.g. PAS, TAS, IPVFB, PRISM, GENESIS database, Solaris 8, Oracle\n    8i, Novell NetWare 5.1, Windows NT, etc.) that do not have a coherent architecture for\n    management and security.\n\n    Controls are not in place to ensure adequate consideration of the potential security\n    impacts of specific changes to an information system or its surrounding\n    environment. PBGC is exposed to increased risk of data modification or deletion.\n    Unauthorized changes could occur undetected.\n\n    Recommendation:\n\n    o   Implement a logging and monitoring process for application security-related events\n        and critical system modifications (e.g. CFS, PAS, TAS, PRISM, and IPVFB).\n        (OIG Control # FS-07-17)\n\n•   The application virtualization/application delivery product Citrix MetaFrame Presentation\n    Server, used by PBGC's benefit payments service provider to connect to its benefit\n    payments system, PLUS, reached its end-of-life date on December 31, 2009. PBGC did\n    not include the Citrix MetaFrame Presentation Server in the system boundary when\n    conducting the C&A of the PLUS application. Although continuous monitoring was\n    implemented, no alerts were provided to PBGC about the application\n    virtualization/application delivery product becoming obsolete and the potential security risk to PLUS.\n    Obsolete software, which no longer receives vendor security fixes, may expose PBGC's\n    infrastructure to security-related vulnerabilities.\n    PBGC is exposed to increased risk of data modification or deletion. 
Unauthorized\n    changes could occur undetected.\n\n    Recommendations:\n\n    o   Replace the Citrix MetaFrame Presentation Server. (OIG Control # FS-10-04)\n\n    o   Include the application virtualization/application delivery product used by the benefits\n        payments service provider to access the PLUS application in the system boundary.\n        (OIG Control # FS-10-05)\n\n•   The TeamConnect application, which replaced the Lotus Notes system in FY 2010,\n    maintains a nightly premium output batch file error log in a .txt file format, which can be\n    edited. Management has not locked down the TeamConnect output file against\n    manipulation. Because the exception log data can be manipulated, the Actuarial\n    database into which the data is being transferred may be compromised or corrupted.\n    Unresolved inaccuracies between the Corporate Data Management System and the\n    Actuarial Database could result in errors in the amount of contingent liabilities recorded\n    and disclosed in the financial statements.\n\n    Recommendation:\n\n    o   Configure TeamConnect to ensure the integrity of the nightly premium output batch\n        file error log. (OIG Control # FS-10-06)\n\n3. Integrated Financial Management Systems\n\n   The risk of inaccurate, inconsistent, and redundant data is increased because PBGC lacks a\n   single integrated financial management system. 
The current system cannot be readily\n   accessed and used by financial and program managers without extensive manipulation,\n   excessive manual processing, and inefficient balancing of reports to reconcile\n   disbursements, collections, and general ledger data.\n\n   OMB Circular A-127, Financial Management Systems, requires that Federal financial\n   management systems be designed to provide for effective and efficient interrelationships\n   between software, hardware, personnel, procedures, controls, and data contained within the\n   systems. This Circular states:\n\n       The term "single, integrated financial management system" means a unified set of\n       financial systems and the financial portions of mixed systems encompassing the\n       software, hardware, personnel, processes (manual and automated), procedures,\n       controls and data necessary to carry out financial management functions, manage\n       financial operations of the agency and report on the agency\'s financial status to central\n       agencies, Congress and the public. 
Unified means that the systems are planned for and\n       managed together, operated in an integrated fashion, and linked together electronically\n       in an efficient and effective manner to provide agency-wide financial system support\n       necessary to carry out the agency's mission and support the agency's financial\n       management needs.\n\n   OMB's Office of Federal Financial Management (formerly the Joint Financial Management\n   Improvement Program), in its "Core Financial System Requirements" document, lists the following\n   integrated financial management system attributes:\n\n   •   Standard data classifications (definition and formats) established and used for recording\n       financial events.\n   •   Common processes used for processing similar kinds of transactions.\n   •   Internal controls over data entry, transaction processing, and reporting that are applied\n       consistently.\n   •   A system design that eliminates unnecessary duplication of transaction entry.\n\n   Because PBGC has not integrated its financial systems, PBGC's ability to accurately and\n   efficiently accumulate and summarize information required for internal and external financial\n   reporting is impaired. Many of the weaknesses included in this report were reported in prior\n   years. The specific weaknesses we found that contributed to the material weakness and our\n   recommendations to correct them are as follows:\n\n   Lack of standard data classifications and common data elements:\n\n   •   PBGC continues to work towards a logical database model (the Enterprise Data Model,\n       or EDM). Elements of the EDM include the general ledger, purchases, portfolio\n       management, payroll, investment management, financial institutions, budgeting,\n       accounts receivable, and accounts payable. 
Until the development and implementation\n    of the EDM is complete, the current systems have no centralized data catalog defining\n    data elements or a common data access method available for current databases.\n\xef\x82\xb7   The current decentralized database structure may lead to erroneous financial and\n    participant data. For example, the same data elements are required to be reformatted or\n    are used for different purposes across PBGC\'s various applications.\n\xef\x82\xb7   The current decentralized database structure may lead to outdated financial or\n    participant data. Because participant data must be reformatted and distributed to\n    multiple PBGC systems, users may be relying on outdated information to make business\n    decisions.\n\nDuplication of transaction entry:\n\n\xef\x82\xb7   Probable and multi-employer plan data initially entered into IPVFB must be manually\n    re-entered into a spreadsheet and then manually entered into CFS as adjusting journal\n    entries.\n\xef\x82\xb7   Plan data initially entered into the Case Management System application must be\n    re-entered into the TAS application\'s portfolio header.\n\xef\x82\xb7   Plan contingency listings are determined using data extracted from PAS. However, plans\n    with multiple filings must be manually aggregated before the plans can be classified.\n\xef\x82\xb7   Plan sponsor data address information must be manually entered into CFS to process\n    refunds.\n\nObsolete and antiquated technologies:\n\nPBGC\xe2\x80\x99s information systems employ obsolete and antiquated technologies that pose\nadditional risk to the availability of financially significant systems. 
These technologies are\nunsupported and add to the challenges of integrating PBGC's systems in an IT infrastructure\nthat lacks a cohesive architecture and design.\n\nA Federal agency's ability to effectively and efficiently maintain and modernize its existing IT\nenvironment depends primarily on how well it employs certain IT management controls that\nare embodied in statutory requirements, Federal guidance, and best practices. Among other\nthings, these controls include strategic planning and performance measurement, portfolio-based\ninvestment management, human capital management, enterprise architecture (and\nsupporting segment architecture) development and use, and responsibility and\naccountability for modernization management.\n\nIf managed effectively, IT investments can have a dramatic impact on an organization's\nperformance and accountability. If not correctly managed, they can result in wasteful\nspending and lost opportunities for achieving mission goals and improving mission\nperformance. PBGC had several false starts in modernizing its systems and applications\nthat have either been abandoned, such as the suspension of work on the PPS to replace\nPAS, or have been ineffective in leading to the integration of its financially significant\nsystems. Unless PBGC develops and implements a well-designed IT architecture and\ninfrastructure to guide and constrain modernization projects, it risks investing time and\nresources in systems that do not reflect the Corporation's priorities, are not well integrated,\nare potentially duplicative, and do not optimally support mission operations and\nperformance.\n\nTo its credit, PBGC began to develop an overall strategy, but much work remains before the\nstrategy can be completed and implemented. Steps PBGC has taken include the following:\n\n1. 
PBGC identified all systems that provide data required to prepare the financial\n   statements.\n2. PBGC substantially completed the logical database model, including standard data\n   definitions and formats to be used throughout the Corporation.\n3. PBGC completed alternative analysis studies for Premium Accounting and CFS.\n\nMajor work remains to be completed to set the foundation for an integrated financial\nmanagement system, including the development and implementation of new IT system\nsolutions/functions in accordance with the Financial Management Segment Architecture and\nstrategic system plan.\n\n   Recommendation:\n\n   o   PBGC needs to develop and execute a plan to integrate its financial management\n       systems in accordance with OMB Circular A-127. (OIG Control # FS-07-18)\n\nThe status of the internal control report recommendations is presented in Exhibit I.\n\nThis report is intended for the information and use of the management and Inspector General of\nPBGC and is not intended to be and should not be used by anyone other than these specified\nparties.\n\n\nCalverton, Maryland\nNovember 12, 2010\n\n\n            EXHIBIT I - Status of Internal Control Report Recommendations\n\nPrior Year Internal Control Report Recommendations Closed During FY 2010:\n\nRecommendation       Date Closed              Original Report Number\nNone\n\nOpen Recommendations as of September 30, 2010:\n\nRecommendation              Report\nPrior Years'\n FS-07-04                    2008-2/FA-0034-2\n FS-07-06                    2008-2/FA-0034-2\n FS-07-07                    2008-2/FA-0034-2\n FS-07-08                    2008-2/FA-0034-2\n FS-07-09                    2008-2/FA-0034-2\n FS-07-10                    2008-2/FA-0034-2\n FS-07-11                    2008-2/FA-0034-2\n FS-07-12                    
2008-2/FA-0034-2\n FS-07-13                    2008-2/FA-0034-2\n FS-07-14                    2008-2/FA-0034-2\n FS-07-15                    2008-2/FA-0034-2\n FS-07-16                    2008-2/FA-0034-2\n FS-07-17                    2008-2/FA-0034-2\n FS-07-18                    2008-2/FA-0034-2\n FS-08-01                    AUD-2009-2/FA-08-49-2\n FS-08-02                    AUD-2009-2/FA-08-49-2\n FS-08-03                    AUD-2009-2/FA-08-49-2\n FS-09-01                    AUD-2010-2/FA-09-64-2\n FS-09-02                    AUD-2010-2/FA-09-64-2\n FS-09-03                    AUD-2010-2/FA-09-64-2\n FS-09-04                    AUD-2010-2/FA-09-64-2\n FS-09-05                    AUD-2010-2/FA-09-64-2\n FS-09-06                    AUD-2010-2/FA-09-64-2\n FS-09-07                    AUD-2010-2/FA-09-64-2\n FS-09-08                    AUD-2010-2/FA-09-64-2\n FS-09-09                    AUD-2010-2/FA-09-64-2\n FS-09-10                    AUD-2010-2/FA-09-64-2\n FS-09-11                    AUD-2010-2/FA-09-64-2\n FS-09-12                    AUD-2010-2/FA-09-64-2\n FS-09-13                    AUD-2010-2/FA-09-64-2\n FS-09-14                    AUD-2010-2/FA-09-64-2\n FS-09-15                    AUD-2010-2/FA-09-64-2\n FS-09-16                    AUD-2010-2/FA-09-64-2\n FS-09-17                    AUD-2010-2/FA-09-64-2\n FS-09-18                    AUD-2010-2/FA-09-64-2\n FS-09-19                    AUD-2010-2/FA-09-64-2\n FS-09-20                    AUD-2010-2/FA-09-64-2\n\nFY Ended September 30, 2010\nFS-10-01                      AUD-2011-3/FA-10-69-2\nFS-10-02                      AUD-2011-3/FA-10-69-2\nFS-10-03                      AUD-2011-3/FA-10-69-2\nFS-10-04                      AUD-2011-3/FA-10-69-2\nFS-10-05                      AUD-2011-3/FA-10-69-2\nFS-10-06             
AUD-2011-3/FA-10-69-2\n\n\n   Report on Internal Controls Related to the\n    Pension Benefit Guaranty Corporation's\nFiscal Year 2010 and 2009 Financial Statements\n\n\n    Audit Report AUD-2011-3 / FA-10-69-2\n\n\n                 Section II\n\n        Management Comments\n\n\n                                 Pension Benefit Guaranty Corporation\nProtecting America's Pensions   1200 K Street, N.W., Washington, D.C. 20005-4026\n\n\n    Office of the Director\n\n\n                                                      MEMORANDUM\n\n               November 8, 2010\n\n               To:                 Rebecca Anne Batts\n                                   Inspector General\n\n               From:               Josh Gotbaum\n                                   Director\n\n               Subject:            Response to the Office of Inspector General's (OIG's) Draft\n                                   Report on Internal Control for FY 2010\n\n\n               Thank you for the opportunity to respond to the subject draft report. PBGC is committed\n               to addressing the recommendations contained in this report and to remediating the\n               associated material weakness. We agree with the 43 recommendations in the draft\n               special report on internal control. Of these, 37 recommendations remain open from prior\n               audit findings with which management has already agreed. We also agree with the six\n               new recommendations.\n\n               We have provided our responses to each recommendation below, and we will be updating\n               our corrective action plans in the near future. We will keep your office informed as we\n               move forward.\n\n               Entity-wide Security Program Planning and Management\n\n               1.     
Recommendation: Effectively communicate to key decision makers the state of\n               PBGC's IT infrastructure and environment to facilitate the prioritization of resources to\n               address fundamental weaknesses. (OIG Control Number FS-09-01)\n\n               Response: Management agrees. To address this and other prior year findings, PBGC\n               developed a CAP that is a three- to five-year holistic approach. The CAP project\n               represented a collaborative effort of subject matter experts from across OIT. The\n               resulting plan used NIST 800-53 as a framework.\n\n               The CAP has been broken into several process families to address the underlying root\n               causes of the findings. These recommendations will primarily be addressed as we rebuild\n               our IT Security Program. We expect to make progress each year toward the overall CAP,\n               while adjusting schedules as necessary. PBGC will be communicating the progress and\n               any schedule adjustments to       on a regular basis, providing transparency of the overall\n\n2.     Recommendation: Complete and confirm the       implementation, and\noperating          of all common security controls identified. (OIG Control\nNumber FS-08-01)\n\nResponse: Management agrees. Please see response to Recommendation # 1, above. In addition, please\nnote that, as we        our             Program,     list           65 common controls\n          If     do, we will document                to                  our work      to provide\n    with an audit trail.\n\n3.     Recommendation: Develop a            to review and validate reported progress\non    implementation of the common security controls. Implement a           to test and\ndocument    effectiveness each new           implemented. (OIG Control Number\nFS-09-02)\n\nResponse: Management agrees. 
Please see the response to Recommendation # 1, above.\n\n4.     Recommendation: Develop and implement a well-designed security\n             program that will provide security to the information and information\n       that support     operations and assets of the Corporation, including those\nmanaged     contractors or other Federal            (OIG Control Number FS-09-03)\n\nResponse: Management agrees. Please see response to Recommendation # 1, above.\n\n5.     Recommendation: Complete the development and implementation of the\n                        infrastructure and the           and                of\n             to support a more coherent          to providing          and\n\ninformation system                          (OIG Control Number FS-09-04)\n\nResponse: Management agrees. Please see the response to Recommendation # 1, above.\n\n6.     Recommendation: Implement an                 review          to validate\ncompletion of the certification and accreditation         for all major applications and\n        support systems.              should not    performed by an individual\nassociated with the performance of      C&A or by someone who could influence\n        This review should be completed for all components of the work performed to\nensure substantial documentation is available     supports and            the\nobtained. (OIG Control Number FS-08-02)\n\nResponse: Management agrees. Please see response to Recommendation # 1, above.\n\n7.     Recommendation:        that adequate documentation is maintained which\nsupports,            and        all                      reached in\nprocess. (OIG Control Number FS-09-05)\n\nResponse: Management agrees. Please see response to Recommendation # 1, above.\n\n8.      
Recommendation: Establish and implement comprehensive procedures and document the roles and responsibilities that ensure oversight and accountability in the certification and review process. Retain evidence of oversight reviews and take action to address erroneous or unsupported reports of progress. (OIG Control Number FS-09-06)

Response: Management agrees. Please see response to Recommendation # 1, above.

9.     Recommendation: Maintain an accurate and authoritative inventory list of major applications and general support systems. Ensure the list is disseminated to responsible staff and used consistently throughout PBGC OIT operations. (OIG Control Number FS-09-07)

Response: Management agrees. Please see the response to Recommendation # 1, above.

10.    Recommendation: Implement an independent and effective review process to validate the completion of C&A packages for all applications and general support systems hosted on behalf of PBGC by third party processors. The effective review should include examining host and general controls risk assessments. (OIG Control Number FS-08-03)

Response: Management agrees. Please see response to Recommendation # 1, above.

11.    Recommendation: Implement robust and rigorous review procedures to verify that future contracts for the C&A of PBGC's systems clearly outline expectations and deliverables in the statement of work. (OIG Control Number FS-09-08)

Response: Management agrees. Please see response to Recommendation # 1, above.

12.    Recommendation: Implement a robust and rigorous quality review process to verify contractor C&A deliverables meet the requirements specified in the statement of work. (OIG Control Number FS-09-09)

Response: Management agrees. Please see the response to Recommendation # 1, above.

13.
Recommendation: Establish controls to ensure that contract staff tasked with the C&A of PBGC systems have the appropriate knowledge and background to accurately and comprehensively complete the C&A process. (OIG Control Number FS-09-10)

Response: Management agrees. Please see the response to Recommendation # 1, above.

14.    Recommendation: Implement a robust and rigorous process to        compliance with        policy on contractor management throughout the C&A lifecycle. (OIG Control Number FS-09-11)

Response: Management agrees. Please see the response to Recommendation # 1, above.

15.    Recommendation: Develop and implement a        and awareness of        security        through        (OIG Control Number FS-07-04)

Response: Management agrees. We have already initiated steps to address this recommendation. We        engaged in a        of Business offering by the Office of Personnel Management (OPM) to        information security and privacy awareness. We plan to implement computer-based training in        2011, which will enable automated tracking and reporting on who has received training. In addition, we are updating our policies and procedures to reflect new        guidance        this area. Moreover, we are enhancing the information security and awareness training program to provide role-based training        it is needed.

16.    Recommendation:        document, and publish        OIT provides to the        that are acceptable to        information        owners. (OIG Control Number FS-07-06)

Response: Management agrees. Please see the response to Recommendation # 1, above.

17.    Recommendation:        implement an        potential        posed        locating the        US.
(OIG Control # FS-10-01)

Response: Management agrees.        immediacy        the recommendation, management analyzed the situation and concluded that no significant additional risk is posed to the        that        uses. Results of        and conclusions are documented with the Security Plan for PLUS.        to discuss        further with OIG.

18.    Recommendation: Review PBGC contracts to ensure contractors are required to comply with        information security standards and FISMA. (OIG Control # FS-10-        )

Response: Management agrees. Management will        contract with State        Corporation to ensure that the contractor is        FISMA compliant.

19.    Recommendation: Develop and        and MOU with organizations whose        connect to PBGC's Consolidated Financial System (CFS). (OIG Control # FS-10-02)

Response: Management agrees.        developing and implementing        appropriate, relevant        with        organizations whose        connect with

        Controls and Configuration Management

20.    Recommendation: Develop        procedures and processes        the        implementation of common configuration        controls to        in general        systems. (OIG Control Number FS-07-07)

Response: Management agrees. Please see response to Recommendation # 1, above.

21.    Recommendation: Develop and implement a        and a framework for implementing common        related to access control by        system        user account management for all of PBGC's information        (OIG Control Number FS-09-12)

Response: Management agrees. Please see the response to Recommendation # 1, above.

22.
Recommendation: Establish baseline configuration standards        of        (OIG Control Number FS-09-13)

Response: Management agrees. Please see response to Recommendation # 1, above.

23.    Recommendation:        configuration settings and document discrepancies        the        configuration baseline. Develop        implement corrective        not meet PBGC's configuration standards. (OIG Control        )

Response: Management agrees. Please see response to Recommendation # 1, above.

24.    Recommendation:        development        production        are appropriately        to        information        also fully utilized to        (OIG Control Number FS-09-15)

Response: Management agrees. Please see response to Recommendation # 1, above.

25.    Recommendation: Establish interim procedures to implement available compensating controls (such as establishing a test team to verify developer        in production) until a comprehensive solution to adequately        development and production databases can be implemented. (OIG Control Number FS-09-16)

Response: Management agrees. Please see response to Recommendation # 1, above.

26.    Recommendation: Continue to remove unnecessary user and/or generic accounts. (OIG Control Number FS-07-08)

Response: Management agrees. Please see response to Recommendation # 1, above.

27.    Recommendation: Consistently implement controls to appropriately segregate duties and grant rights and privileges commensurate with the job functions and responsibilities. (OIG Control Number FS-07-09)

Response: Management agrees. Please see response to Recommendation # 1, above.

28.    Recommendation: Assess the risk associated with lacking segregation of duties, password management, and overall inadequate system configuration.
Discuss risk with system owners and implement compensating controls wherever possible. If compensating controls cannot be implemented the system owner should sign-off indicating risk acceptance. (OIG Control Number FS-09-17)

Response: Management agrees. Please see response to Recommendation # 1, above.

29.    Recommendation: Appropriately restrict developers' access to production environment to only temporary emergency access. (OIG Control Number FS-07-10)

Response: Management agrees. Please see response to Recommendation # 1, above.

30.    Recommendation: Assess developers' access to production on all PBGC systems and determine if access is required based on the security principles "need to know and least privilege". If developers require access to a specific application, the reason should be documented and management should sign-off indicating acceptance of the risk(s). In all other instances developer access to production should be immediately removed. (OIG Control Number FS-09-18)

Response: Management agrees. Please see response to Recommendation # 1, above.

31.    Recommendation: Consistently apply controls to ensure that authentication parameters for PBGC's general support systems (e.g. Novell, Windows, Sun Solaris, Oracle, etc.) and applications are in compliance with the IAH. (OIG Control Number FS-07-11)

Response: Management agrees. Please see response to Recommendation # 1, above.

32.    Recommendation: Implement a manual review process whereby OIT periodically reviews systems for compliance with baseline settings. (OIG Control Number FS-09-19)

Response: Management agrees. Please see response to Recommendation # 1, above.

33.    Recommendation: For the remaining systems, apply controls to lock out and remove inactive and dormant accounts after a specified period in accordance with the IAH. (OIG Control Number FS-07-12)

Response: Management agrees.
Please see response to Recommendation # 1, above.

34.    Recommendation: Complete the implementation of the recertification process for all user and system accounts. Continue to perform annual recertification and include all PBGC's accounts (e.g. user, generic, service, and systems accounts) for general support systems and major applications. (OIG Control Number FS-07-13)

Response: Management agrees. Please see response to Recommendation # 1, above.

35.    Recommendation: Implement controls to remedy vulnerabilities noted in key databases and applications such as weaknesses in configuration, roles, privileges, auditing, file permissions, and operating system access. (OIG Control Number FS-07-14)

Response: Management agrees. Please see response to Recommendation # 1, above.

36.    Recommendation: Implement controls to remedy weaknesses in the deployment of servers, applications, and databases in the development, test, and production environments. (OIG Control Number FS-09-20)

Response: Management agrees. Please see response to Recommendation # 1, above.

37.    Recommendation: Ensure that adequate documentation of access authorization is maintained by implementing proper monitoring and enforcement measures in compliance with approved policies and procedures. (OIG Control Number FS-07-15)

Response: Management agrees. Please see response to Recommendation # 1, above.

38.    Recommendation: Update and enforce directive PM 05-1, PBGC Entrance on Duty and Separation Procedures for Federal and Contract Employees, to ensure contract personnel can be tracked effectively. Also, ensure a formal Entrance on Duty and Separation Clearance process is followed. (OIG Control Number FS-07-16)

Response: Management agrees. PBGC Directive PM 05-1, Entrance on Duty and Separation Procedures for Federal and Contract Employees was updated and disseminated to PBGC Federal and Contract employees on October 19, 2010.
This update enhances Internal Controls for the tracking of PBGC Contractors and reflects a more aggressive strategy for the tracking of Contractors at PBGC. The Internal Controls establishes accountability to the Contracting Officer's Technical Representative for the timely entrance on duty and separation of Contractors, as well as the documentation of their tenure at PBGC.

39.    Recommendation: Implement a logging and monitoring process for application security related events and critical system modifications (e.g. CFS, PAS, TAS, PRISM, and IPVFB). (OIG Control Number FS-07-17)

Response: Management agrees. Please see response to Recommendation #1, above.

40.    Recommendation: Replace the Citrix MetaFrame presentation server. (OIG Control #FS-10-04)

Response: Management agrees. PBGC will work with its paying agent to replace Citrix or come up with an interim solution until PLUS Web is deployed in 2011. PBGC will also consider including this in the boundary when future C&A's are completed.

41.    Recommendation: Include the application virtualization/application delivery product used by the benefits payments service provider to access the PLUS application in the system boundary. (OIG Control #FS-10-05)

Response: Management agrees. Please see response to Recommendation #40, above.

42.    Recommendation: Configure TeamConnect to ensure the integrity of the nightly premium output batch file error log. (OIG Control #FS-10-06)

Response: Management agrees.

Integrated Financial Management Systems

43.    Recommendation: PBGC needs to develop and execute a plan to integrate its financial management systems in accordance with OMB Circular A-127. (OIG Control Number FS-07-18)

Response: Management agrees and appreciates the OIG's acknowledgement of PBGC's significant accomplishments to date.
During FY 2010, the Financial Operations Department (FOD), Office of Information Technology and other PBGC Departments continued to follow through with PBGC's Corrective Action Plan (CAP) in several areas, as discussed below.

First, PBGC completed segment architectures for all segments containing financial management system functions, including the Consolidated Financial System (CFS); Premium Accounting; Benefits Administration; Procurement; and Budget. Moreover, the FOD has prepared and submitted to the Office of Management and Budget (OMB) Exhibit 300s for CFS and Premium Accounting that provide detailed plans for development, modernization, and enhancement efforts that are geared toward integrating the financial management systems. We believe the high level segment architectures, along with the more prescriptive Exhibit 300s, constitute a solid roadmap to address this recommendation.

Secondly,        implemented significant enhancements and        efforts to the Premium Accounting        during FY        completion of this        modernization        is a        milestone in PBGC's long term plan to replace and        The PAS modernization effort provided major functional and technical        areas of: (1) PPA        changes; (2) upgrade        the Letter Generation        (3) improvements to the DOL Form 5500        (4) Plan        Reporting; and (5)        migration from Oracle 8i to I

Going forward, PBGC has already planned        improvements to its        System. In        FY        12 budget submission,        requested        funding to complete its new premium system that is planned for implementation        November 2013.
When completed,        will address a cornerstone of PBGC's        management        a modern and integrated        accounting

Third,        FOD started        FY 10 to implement a new Trust Accounting System (TAS). The TAS        is intended to        existing technology        and Portfolio        and        comprehensive, modern,        of trusteed plans. The TAS        2012.

        FY 2010, the FOD also        to modernize        manual interface        the Consolidated Financial System (CFS) and the Comprizon Suite (Procurement System) that is scheduled to        implemented in        2011. When completed, this electronic        should upload obligating documents from the Comprizon Suite to the CFS, thereby eliminating the need to manually record obligations, eliminating duplicate entry, and        the risk of inaccurate financial information.

Lastly, in        2011,        will be implementing electronic interfaces between the (1)        and FedTraveler (Travel Management System) and        (2)        and the Federal Personnel Payroll System (U.S. Department Interior Payroll System).        interface        should complete integration        the remaining        applications that now interface manually with the CFS, thereby eliminating manual processes to record travel and payroll information,        duplicate entry, and        risk of inaccurate financial information.
Also        FY        I,        FOD will be implementing Electronic Invoicing to        and automatically route        for approval to        the        vendor invoices        payment.

If you want to report or discuss confidentially any instance of misconduct, fraud, waste, abuse, or mismanagement, please contact the Office of Inspector General.

Telephone: The Inspector General's HOTLINE, 1-800-303-9737
The deaf or hard of hearing, dial FRS (800) 877-8339 and give the Hotline number to the relay operator.

Web: http://oig.pbgc.gov/investigation/details.html

Or Write: Pension Benefit Guaranty Corporation, Office of Inspector General, PO Box 34177, Washington, DC 20043-4177